Best practices

We don't recommend allowing access to the web admin console (HTTPS), CLI console (SSH), and the user portal from the WAN zone or over the SSL VPN port.

Web admin console

You can't allow web admin console access from all WAN sources. If you must give access, follow these best practices:

  • Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone.

    You can't create the rule if you set the source network to Any or the source IP address to 0.0.0.0 because the firewall doesn't allow access to the web admin console from all WAN sources.

  • Use Sophos Central.
  • Use remote access or site-to-site VPNs.
  • Use remote access clients, such as Sophos Transparent Authentication Suite (STAS).

Note

If you've allowed access in an earlier version, the firewall turns off access if there aren't any successful sign-ins from the WAN zone for 90 consecutive days. This applies to all deployments. Access given to specific WAN IP addresses and networks through a Local service ACL exception rule isn't impacted. These sources will continue to have access even if there are no sign-ins.

CLI console

Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone.

For additional security, you can do one of the following:

  • Configure public-key authentication on Administration > Device access.
  • Use remote access or site-to-site VPNs.
  • Use remote access clients, such as Sophos Transparent Authentication Suite (STAS).

User portal

For secure access from external networks, use VPNs and follow these best practices:

  • Provide only temporary access to download VPN clients or configuration to users.
  • Use remote access or site-to-site VPNs.
  • Use remote access clients, such as Sophos Transparent Authentication Suite (STAS).
  • Make sure the user portal does not use the SSL VPN port.

For secure access based on user accounts, you can do the following:

  • Use multi-factor authentication (MFA) with one-time passwords for user accounts stored on Sophos Firewall. See Multi-factor authentication (MFA) settings.
  • Use the MFA options provided by External directory services.

Note

The firewall turns off access to the user portal from all WAN sources if there aren't any successful sign-ins from the WAN zone for 90 consecutive days. This applies to all deployments. Access given to specific WAN IP addresses and networks through a Local service ACL exception rule isn't impacted. These sources will continue to have access even if there are no sign-ins.

SSL VPN port

By default, all management services use unique ports. SSL VPN is set to TCP port 8443.

Warning

If you manually change the default ports, we strongly recommend that you use a unique port for each service. Using a unique port ensures that services are not exposed to the WAN zone even after you turn off access. Example: Don't use port 443 for both the user portal and SSL VPN. If you do, the user portal will remain accessible from the WAN zone when you turn off WAN access from this page.
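The two checks this page relies on, a WAN-facing exception rule must name specific sources rather than Any or 0.0.0.0, and management services must not share a port or a service with WAN access turned off stays reachable through the other service's port, as an added example in Python. This is not Sophos Firewall's own code or configuration format: the service model, function names and sample port values are constructed for illustration (only SSL VPN's default of TCP 8443 comes from the page).

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed model of a firewall's management services for this example; it is
# not Sophos Firewall's configuration format or API, and the function names
# are hypothetical.
@dataclass
class Service:
    name: str
    port: int
    wan_access: bool  # WAN-zone access for this service is turned on

def wan_exposure(services):
    """Map each TCP port to the services answering on it from the WAN.

    A port is reachable from the WAN if any service on it has WAN access on,
    so every service listening there stays reachable, including one whose
    own WAN access is off (the user portal / SSL VPN collision on port 443).
    """
    by_port = {}
    for s in services:
        by_port.setdefault(s.port, []).append(s)
    return {port: sorted(s.name for s in group)
            for port, group in by_port.items()
            if any(s.wan_access for s in group)}

def still_exposed(services):
    """Services whose WAN access is off but that remain reachable anyway."""
    exposure = wan_exposure(services)
    return sorted(s.name for s in services
                  if not s.wan_access and s.port in exposure)

def shared_ports(services):
    """Ports used by more than one service, which the warning says to avoid."""
    by_port = {}
    for s in services:
        by_port.setdefault(s.port, []).append(s.name)
    return {p: sorted(n) for p, n in by_port.items() if len(n) > 1}

def acl_source_allowed(service, source):
    """Reject an exception rule opening the web admin console to all WAN
    sources (source 'Any' or 0.0.0.0), which the firewall does not permit."""
    if service != "web admin console":
        return True
    if source.strip().lower() == "any":
        return False
    net = ip_network(source, strict=False)
    return net.prefixlen > 0 and int(net.network_address) != 0
```

Run `still_exposed` and `shared_ports` over the configured services after changing any default port; a non-empty result means a service you turned off for the WAN is still answering.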